Read any security blog on the internet today and they’ll tell you two things:
1) You need a really strong password with lots of upper/lower case letters, numbers, and special characters
2) You need a different one of these super-passwords for each and every website you use
That seems a bit harsh: that’s a lot of crazy passwords to remember just to stay safe online.
So do you really need a super strong password? A group of researchers recently published a paper through Microsoft Research entitled “An Administrator’s Guide to Internet Password Research.”
In that guide, researchers come up with some surprising results. Here are some of the interesting findings from the report:
- The researchers found that “much of the available guidance lacks supporting evidence” when it comes to online password-based security. So they “set out to examine the usefulness of password composition policies, forced password expiration and password lockouts.”
- Here’s their conclusion: “creating strong passwords is wasted effort a lot of the time.”
- Instead of pushing users to create stupidly long and difficult passwords, organizations would be better off investing those resources in securing their own systems.
- Basically, passwords offload the burden of security onto end users. To make matters worse, that burden usually arrives as advice or suggestions, not as concrete policies that are guaranteed to work.
- The researchers suggest that a password for an online service should be able to withstand over 1 million online guesses to be considered safe. A password that could withstand only 100 guesses, on the other hand, would be deemed an “extreme” risk.
- One million guesses might sound like a lot, but it’s really not. Even if you used just five random letters out of the 26 letters in the alphabet, there would be 11,881,376 possible passwords. Of course, most password-guessing tools don’t try every letter combination at random: they work through a list of the most popular passwords until one works. So as long as your five-letter password is something like lsCrU and not “Apple”, you should be fine.
- All of the above applies to online attacks. Attacks against Facebook, Twitter, Dropbox, and other web services are online attacks. Offline attacks, on the other hand, require far stronger passwords because you cannot limit the number of guesses the attacker can make.
- So while Facebook may block further password attempts after five wrong guesses, an offline attacker has no such limit. Given enough time, an offline attacker will eventually find the password: it’s just a matter of how long, which depends on the attacker’s computing power.
- When the researchers looked at the offline case, they suggested using a password capable of withstanding 100 trillion guesses, or 10^14.
- Fortunately, offline attacks are much harder to pull off than online attacks. If someone already has offline access to your computer, they may not even need to guess your password: they might already have everything they need.
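As an added illustration (not from the post or the paper), the script below turns the two thresholds into a simple checker. The attacker model is an assumption made here: the guesser first walks a popularity-ordered list of common passwords (a short constructed stand-in below), then brute-forces the character classes actually present in the password.

```python
"""Rate passwords and policies against the two guess thresholds quoted
in the post: 10^6 guesses for online attacks, 10^14 for offline attacks."""
import string

ONLINE_THRESHOLD = 10**6
OFFLINE_THRESHOLD = 10**14

# Constructed stand-in for a leaked "most popular passwords" list, ordered
# by popularity. Real lists run to millions of entries.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "apple", "letmein"]

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols (26^5 in the post)."""
    return alphabet_size ** length


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must cover: the sum of the
    character classes that appear in the password."""
    return sum(len(cls) for cls in CHAR_CLASSES if any(ch in cls for ch in password))


def guesses_to_find(password: str) -> int:
    """Worst-case guesses under the assumed attacker model: the popular
    list is exhausted first, then the full keyspace for the classes present."""
    if password.lower() in COMMON_PASSWORDS:
        return COMMON_PASSWORDS.index(password.lower()) + 1  # found on the list
    if not password:
        return 0
    return len(COMMON_PASSWORDS) + keyspace(alphabet_size(password), len(password))


def rate(guesses: int) -> str:
    """Map a guess count onto the online/offline thresholds."""
    if guesses >= OFFLINE_THRESHOLD:
        return "withstands offline attack"
    if guesses >= ONLINE_THRESHOLD:
        return "withstands online attack only"
    return "fails even the online threshold"


def min_length(alphabet: int, threshold: int) -> int:
    """Shortest random password over `alphabet` symbols whose keyspace
    reaches `threshold` guesses (integer arithmetic, no float rounding)."""
    n = 1
    while alphabet ** n < threshold:
        n += 1
    return n


if __name__ == "__main__":
    for pw in ("Apple", "lsCrU"):
        print(f"{pw}: {guesses_to_find(pw):,} guesses -> {rate(guesses_to_find(pw))}")
    print("letters-only length for offline threshold:", min_length(26, OFFLINE_THRESHOLD))
    print("mixed-case+digits length for offline threshold:", min_length(62, OFFLINE_THRESHOLD))
```

Running it shows why the post's “Apple” versus “lsCrU” comparison holds: the dictionary word falls in a handful of guesses while the random string clears the online threshold, yet neither comes close to the 10^14 needed against an offline attacker.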
TL;DR
The most important lessons to take from this are:
- Online passwords don’t need to be as strong, because online services limit the number of guesses. Make sure yours can withstand 1 million guesses.
- Offline passwords need to be extremely strong, because there is no guess limit. Make sure yours can withstand 100 trillion guesses.
If you’re interested in doing some heavy academic reading on online security today, you can read the full report here.